Biometric Template Similarity Based on Feature Locations

ABSTRACT

The present invention relates to a method and a system of determining correspondence between location sets. A basic idea of the present invention is to provide a scheme in which correspondence between location sets is determined. A feature location set (X) comprising a number (n+1) of components is transformed into a feature vector that can be used in an HDS. Therefore, a feature density function (ƒ js (x)) is created. A feature vector (X F ) for the HDS is chosen to be a sampled version of the feature density function (ƒ X,g (x) ), which results in feature vectors of equal and finite dimensions regardless of the number (n+1) of features that are present in the biometric template X T  from which the location sets is derived. Thereafter, a distance (d) between two feature location sets (X, Y) is determined. The distance (d) between the sets is chosen to be the Euclidian distance between the corresponding feature density functions.

The present invention relates to a method and a system of determiningcorrespondence between location sets.

Authentication of physical objects may be used in many applications,such as conditional access to secure buildings or conditional access todigital data (e.g. stored in a computer or removable storage media), orfor identification purposes (e.g. for charging an identified individualfor a particular activity).

The use of biometrics for identification and/or authentication is to anever-increasing extent considered to be a better alternative totraditional identification means such as passwords and pin-codes. Thenumber of systems that require identification in the form ofpasswords/pin-codes is steadily increasing and, consequently, so is thenumber of passwords/pin-codes, which a user of the systems mustmemorize. As a further consequence, due to the difficulty in memorizingthe passwords/pin-codes, the user writes them down, which makes themvulnerable to theft. In the prior art, solutions to this problem havebeen proposed, which solutions involve the use of tokens. However,tokens can also be lost and/or stolen. A more preferable solution to theproblem is the use of biometric identification, wherein features thatare unique to a user such as fingerprints, irises, ears, faces, etc. areused to provide identification of the user. Clearly, the user does notlose or forget his/her biometric features, neither is there any need towrite them down or memorize them.

The biometric features are compared to reference data. If a matchoccurs, the user is identified and can be granted access. The referencedata for the user has been obtained earlier and is stored securely, e.g.in a secure database or smart card. In authentication, the user claimsto have a certain identity and an offered biometric template is comparedwith a stored biometric template that is linked to the claimed identity,in order to verify correspondence between the offered and the storedtemplate. In identification, the offered biometric template is comparedwith all stored available templates, in order to verify correspondencebetween the offered and stored template. In any case, the offeredtemplate is compared to one or more stored templates.

Whenever a breach of secrecy has occurred in a system, for example whena hacker has obtained knowledge of secrets in a security system, thereis a need to replace the (unintentionally) revealed secret. Typically,in conventional cryptography systems, this is done by revoking arevealed secret cryptographic key and distributing a new key to theconcerned users. In case a password or a pin-code is revealed, it isreplaced by a new one. In biometric systems, the situation is morecomplicated, as the corresponding body parts obviously cannot bereplaced. In this respect, most biometrics are static. Hence, it isimportant to develop methods to derive secrets from (generally noisy)biometric measurements, with a possibility to renew the derived secret,if necessary. It should be noted that biometric data is a goodrepresentation of the identity of an individual, and unauthenticatedacquirement of biometric data associated with an individual can be seenas an electronic equivalent of stealing the individual's identity. Afterhaving acquired appropriate biometric data identifying an individual,the hacker may impersonate the individual whose identity the hackeracquired. Moreover, biometric data may contain sensitive and privateinformation on health conditions. Hence, the integrity of individualsemploying biometric authentication/identification systems must besafeguarded.

As biometrics provides sensitive information about an individual, thereare privacy problems related to the management and usage of biometricdata. For example, in prior art biometric systems, a user mustinevitably trust the biometric systems completely with regard to theintegrity of her biometric template. During enrolment—i.e. the initialprocess when an enrolment authority acquires the biometric template of auser—the user offers her template to an enrolment device of theenrolment authority which stores the template, possibly encrypted, inthe system. During verification, the user again offers her template tothe system, the stored template is retrieved (and decrypted if required)and matching of the stored and the offered template is effected. It isclear that the user has no control of what is happening to her templateand no way of verifying that her template is treated with care and isnot leaking from the system. Consequently, she has to trust everyenrolment authority and every verifier with the privacy of her template.Although these kind of systems is already in use, for example in someairports, the required level of trust in the system by the user makeswidespread use of such systems unlikely.

Cryptographic techniques to encrypt or hash the biometric templates andperform the verification (or matching) on the encrypted data such thatthe real template is never available in the clear can be envisaged.However, cryptographic functions are intentionally designed such that asmall change in the input results in a large change in the output. Dueto the very nature of biometrics and the measurement errors involved inobtaining the offered template as well as the stored template due tonoise-contamination, the offered template will never be exactly the sameas the stored template and therefore a matching algorithm should allowfor small differences between the two templates. This makes verificationbased on encrypted templates problematic.

“Capacity and Examples of Template-Protecting Biometric AuthenticationSystems” by Pim Tuyls and Jasper Goseling, Philips Research, discloses abiometric authentication system in which there is no need to storeoriginal biometric templates. Consequently, the privacy of the identityof an individual using the system may be protected. The system is basedon usage of helper data schemes (HDSs). In order to combine biometricauthentication with cryptographic techniques, helper data is derivedduring the enrolment phase. The helper data guarantees that a uniquestring can be derived from the biometrics of an individual during theauthentication as well as during the enrolment phase. Since the helperdata is stored in a database, it is considered to be public. In order toprevent impersonation, reference data which is statistically independentof the helper data, and which reference data is to be used in theauthentication stage, is derived from the biometric. In order to keepthe reference data secret, the reference data is stored in hashed form.In this way impersonation becomes computationally infeasible.

In HDSs, biometric information in the form of a feature vector of acertain fixed dimension is required. If the feature vector obtainedduring enrolment resembles the feature vector obtained duringauthentication to a sufficient level, the helper data renders itpossible to derive the same unique string for the two feature vectors.As a measure of resemblance, a distance between the two feature vectorsmay be used. Thus, an HDS allows taking into account small differencesin the feature vectors that might be caused by measurement noise,distortion and omissions in the biometric templates.

In other schemes implemented in biometric authentication systems, thematching is performed based on location of well-distinguishable featuresin the templates. For example, systems using a fingerprint as abiometric template typically employ minutiae location in the templateswhen comparing them. Complicated algorithms operating directly on theactual minutiae locations are used to locate the minutiae and todetermine whether there is a match or not. These feature locationschemes (FLSs) also allow taking into account measurement noise,distortion and omissions in the location of the features to be matched,and also in general provide robust matching results. A combination ofthe helper data schemes and the feature location schemes is fruitful inthat desirable properties associated with the respective schemes can becombined into one single scheme.

A problem that remains in the prior art is that combination of thehelper data scheme with the feature location scheme is complicated. Thehelper data scheme requires feature vectors of fixed dimensions, andfurther that the distance between two feature vectors derived fromtemplates that resemble each other to a sufficient degree should besmall. Another problem to overcome in combining the two schemes is howto transform a set of feature locations into a feature vector having afixed dimension.

An object of the present invention is to provide a scheme in whichcorrespondence between location sets, which possibly are of differentsizes, is determined.

This object is attained by a method in accordance with claim 1 and asystem in accordance with claim 15.

According to a first aspect of the present invention, a method isprovided comprising the steps of transforming a first location setcomprising a number of components into a density function by summingaveraging functions shifted to locations indicated by selectedcomponents in the first location set, and determining a distance betweenthe density function and another density function that corresponds to asecond location set comprising a number of components, whereincorrespondence exists between the first and the second location set ifsaid distance complies with a predetermined distance value.

According to a second aspect of the present invention, a system isprovided comprising means for transforming a first location setcomprising a number of components into a density function by summingaveraging functions shifted to locations indicated by selectedcomponents in the first location set and means for determining adistance between the density function and another density function thatcorresponds to a second location set comprising a number of components,wherein correspondence exists between the first and the second locationset if said distance complies with a predetermined distance value.

A basic idea of the present invention is to provide a scheme in whichcorrespondence between location sets is determined. Note that in thefollowing, it is assumed that the inventive scheme operates on featurelocation sets derived from biometric data of an individual. However, thescheme can be operable on any location set, and not necessarily afeature location set.

First, a feature location set X={x₀,x₁, . . . ,x_(n)} comprising n+1components is transformed into a feature vector that can be used in anHDS. Therefore, a feature density function ƒ_(X,s)(x) is defined as$\begin{matrix}{{{f_{X,s}(x)} = {{s(x)}*{\sum\limits_{i = 0}^{n}\quad{\delta( {x - x_{i}} )}}}},} & (1)\end{matrix}$

Where * denotes convolution and s(x) is an averaging function. If it isassumed that, for example, s(x)=δ(x), then $\begin{matrix}{{f_{X,\delta}(x)} = {\sum\limits_{i = 0}^{n}{{\delta( {x - x_{i}} )}.}}} & (2)\end{matrix}$

If s(x)=e^(−ax) ² {circumflex over (=)}g(x), then $\begin{matrix}{{f_{X,g}(x)} = {\sum\limits_{i = 0}^{n}{{{\mathbb{e}}^{- a}( {x - x_{i}} )}^{2}.}}} & (3)\end{matrix}$

Hence, the location of every feature is represented by a Gaussian pulse.It is, in principle, possible to select any appropriate averagingfunction s(x), and it can be seen that a different choice for s(x) or adifferent value of the parameter “a” of Gaussian function g(x) willresult in different matching properties. In the following description,the Gaussian averaging function g(x) is used. Note that throughout thisdescription, in order to avoid unnecessarily complicated formulas, thescheme of the present invention will be described for locations given ina 1-dimensional space. As the skilled person realizes, the descriptioncan easily be extended to 2-dimensional or higher dimensional spaces.The feature vector for the HDS is now chosen to be ƒ_(X,g)(x).Typically, this will be a sampled version of the feature densityfunction ƒ_(X,g)(x), which results in feature vectors of equal andfinite dimensions regardless of the number n+1 of features (i.e.components) that are present in the template X_(T).

Thereafter, a distance between two feature location sets is determined.Assume that a first feature location set X={x₀,x₁, . . . ,x_(n)} and asecond feature location set Y={x′₀,x₁′, . . . ,x′_(m)} are derived fromthe individual. The second set is, in the case where the two sets arederived from the same individual, typically a noisy version of the firstset, and the second set does not necessarily comprise the same number ofcomponents as the first set. For example, due to measurement noise, somefeatures may become obscured in the measured biometric templates and areconsidered “invisible”. Hence, it is possible that n≠m.

Thus $\begin{matrix}{{{{f_{X,g}(x)} = {\sum\limits_{i = 0}^{n}{{\mathbb{e}}^{- a}( {x - x_{i}} )}^{2}}};}\quad{and}} & (4) \\{{f_{Y,g}(x)} = {\sum\limits_{i = 0}^{m}{{{\mathbb{e}}^{- a}( {x - x_{i}^{\prime}} )}^{2}.}}} & (5)\end{matrix}$

The distance d_(X,Y) between X and Y is chosen to be the Euclidiandistance between the corresponding feature density functions andconsequently $\begin{matrix}{d_{X,Y}^{2} = {\int_{- \infty}^{\infty}{( {{f_{{X,g}\quad}(x)} - {f_{Y,g}(x)}} )^{2}\quad{{\mathbb{d}x}.}}}} & (6)\end{matrix}$

In order to illustrate variations in this distance measure due tovariations in the feature vectors, an example is given. For X={0} andY={x₀}, it is derived that $\begin{matrix}{{d_{X,Y}^{2}( x_{0} )} = {\sqrt{\frac{2\pi}{a}}{\{ {1 - {\mathbb{e}}^{{- \frac{a}{2}}x_{0}^{2}}} \}.}}} & (7)\end{matrix}$

It is realized that for the choice of g(x) as an averaging function, thedistance d_(X,Y) between the feature location sets X, Y (and hence thecorresponding feature vectors ƒ_(X,g)(x), ƒ_(Y,g)(x)) graduallyincreases as the value of x₀ moves away from zero thus making X and Ymore dissimilar. It is also realized that the parameter “a” can be usedto adjust the distance for a given ‘dissimilarity’ and thus allowsadjusting the sensitivity (i.e. the noise robustness) of the matchingprocess with respect to measurement noise and distortion.

For an example in which X={0}, Y₁{1} and Y₂={2}, it is clear that, usingthis distance measure and averaging function, d_(X,Y) ₁ <d_(X,Y) ₂ . Ifthe average function would be chosen such that s(x)=δ(x), the change indistance between X and Y would become rather abrupt and the slightestmeasurement noise or distortion would immediately result in a largedistance d_(X,Y) between the feature vectors. In practice, this is notdesired and a more gradual increase of the distance is required.Assuming that a predetermined threshold value of 1.5 is set as a maximumvalue of the distance d_(X,Y) for which it is considered that Y complieswith X, and that a=1 in (7), then Y₁ is considered to comply with X,while Y₂ is considered not to comply with X In the case the scheme isapplied in a biometric authentication system, the individual associatedwith Y₁ is authenticated, while authentication for the individualassociated with Y₂ fails.

The present invention is advantageous, since the proposed distancemeasure in combination with density functions derived from featurelocations sets using an appropriate averaging function can be used inmatching sets of feature locations derived from biometric templates. Inparticular, the present invention is advantageous since the two featurelocation sets to be compared to check for correspondence may contain adifferent number (i.e. n≠m) of components due to noise contamination,and that problem is overcome by the present invention. Another highlyadvantageous feature of the present invention is that the order of thetwo feature location sets is immaterial, i.e. it is irrelevant whether acomponent that has a certain index in the first location set (X)corresponds to a component having the same index in the second locationset (Y). This is due to the fact that a density function is used, whichfunction sums all components in the location sets. Hence, the particularorder of the components has no significance.

According to an embodiment of the present invention, the determinationof the distance between two feature vectors is performed in thefrequency domain. The distance measure defined in the spatial domainhereinabove can alternatively be defined in the frequency domain. Again,assume that a first feature location set X={x₀,x₁, . . . ,x_(n)} and asecond feature location set Y={x′₀,x₁′, . . . ,x′_(m)} are derived fromthe individual. In analogy with (2): $\begin{matrix}{{{{f_{X,\delta}(x)} = {\sum\limits_{i = 0}^{n}\quad{{\delta( {x - x_{i}} )}\overset{F}{\longleftrightarrow}{F_{X,\delta}(\omega)}}}};}{and}} & (8) \\{{f_{Y,\delta}(x)} = {\sum\limits_{i = 0}^{m}\quad{{{\delta( {x - x_{i}} )}\overset{F}{\longleftrightarrow}{F_{Y,\delta}(\omega)}}.}}} & (9)\end{matrix}$

A Gaussian filter is applied $\begin{matrix}{{H(\omega)} = \sqrt{\frac{\pi}{a}{\mathbb{e}}^{{- \pi^{2}}{\omega^{2}/a}}}} & (10)\end{matrix}$to both F_(X,δ)(ω) and F_(Y,δ)(ω)) to obtain F_(X,δ) ^((H))(ω) andF_(Y,δ) ^((H))(ω), respectively. The following function is defined$\begin{matrix}{d_{X,Y,\delta,H}^{2} = {\int_{- \infty}^{\infty}{( {{F_{X,\delta}^{(H)}(\omega)} - {F_{Y,\delta}^{(H)}(\omega)}} )^{2}{{\mathbb{d}\omega}.}}}} & (11)\end{matrix}$

The same matching properties are achieved in the frequency domain ascompared to the spatial domain and with a distance measure based on the2-norm, both approaches are identical. Parseval's theorem concludes that$\begin{matrix}{{{\int_{- \infty}^{\infty}{{{f(x)}}^{2}{\mathbb{d}x}}} = {\int_{- \infty}^{\infty}{{{F(\omega)}}^{2}{\mathbb{d}\omega}}}},} & (12)\end{matrix}$for the distance determination, the following holdsd_(X,Y) ²=d_(X,Y,δ,H) ².   (13)

Thus, matching can be effected in the frequency domain if a Fouriertransform of the averaging function in the spatial domain is employed toperform the filtering in the frequency domain, which can be advantageousin some situations, for example when the sets of locations must be madetranslation and rotation invariant. Just as with matching in the spatialdomain, the filter characteristic may be adjusted to adjust thesensitivity of the matching process.

In this description, a distance measure is defined for densityfunctions, which enables noise-robust matching. A Gaussian function isused as averaging function to illustrate how the value of a gradualdistance change between feature location sets can be tuned to differentlevels of sensitivity. A person skilled in the art realizes that thereexist many possible averaging functions that can be used, and theGaussian function is just one of these many possible averagingfunctions. The choice of the actual averaging functions depends on theparticular application in which the present invention is implemented.

In (6) and (12), the distance between two feature location sets isdetermined, wherein the same averaging function is employed to derivethe density function. However, it is not required that both densityfunctions are generated by using the same averaging function. Forexample, a Gaussian averaging function can be used to generate thedensity function for one of the sets and a δ-function can be used forthe other set. Moreover, the 2-norm was used in (6) to define thedistance between two functions. Although in many cases, such as manyHDSs, this will be a good choice, other distance measures can be chosento perform the matching, for example$d = {{n - {\sum\limits_{i = 0}^{n}\quad{f_{Y,g}( x_{i} )}}} = {{{n - {{f_{Y,g}( {- x} )}*{f_{X,\delta}(x)}}}❘_{x = 0}} = {n - {\int_{- \infty}^{\infty}{{F_{Y,g}( {- \omega} )}{F_{X,\delta}(\omega)}{\mathbb{d}\omega}}}}}}$

Note that in general, not every norm in the spatial domain carries overto the frequency domain or allows matching in the spatial frequencydomain.

The idea of the present invention has been formulated for a set offeature locations in a biometric template. However, the hereinabovedescribed distance measure can be used for any two sets of locations.These locations do not necessarily have to represent actual featurelocations derived from biometric data. For example, in order to makefeature location sets translation invariant, distance vectors betweenthe respective features (i.e. components) may be processed. Thesedistances vectors can also be seen as a set of locations. By applyingthe inventive distance measure on the derived set of locations,translation invariant matching may be achieved. The formulas that aregiven represent functionality and do not indicate how this functionalityshould be implemented. For example, although (1) is formulated as aconvolution, it does not state that a convolution integral should beevaluated. Particularly in (1), the convolution can be done moreefficient by summing a number of shifted averaging functions as can beseen in (3). Another possibility is to compute the convolution by firsttransforming both the averaging function s(x) and the sum of Diracpulses to the frequency domain, then multiplying both the transformedfunctions and finally perform an inverse Fourier transform. Similarly,the expressions F_(X,δ)(ω) and F_(Y,δ)(ω) in (8) and (9), respectively,need not be calculated using a real Fourier transform on a summation ofDirac pulses. It is clear that F_(X,δ)(ω) (and likewise F_(Y,δ)(ω)) canbe more efficiently obtained as a summation of functions of the forme^(−jωx) ¹ .

Further features of, and advantages with, the present invention willbecome apparent when studying the appended claims and the followingdescription. Those skilled in the art realize that different features ofthe present invention can be combined to create embodiments other thanthose described in the following.

A detailed description of preferred embodiments of the present inventionwill be given in the following with reference made to the accompanyingdrawings, in which:

FIG. 1 shows a prior art system for verification of an individual'sidentity (i.e. authentication/identification of the individual) usingbiometric data associated with the individual, in which system thepresent invention advantageously can be applied.

FIG. 1 shows a prior art system for verification of an individual'sidentity (i.e. authentication/identification of the individual) usingbiometric data associated with the individual, in which system thepresent invention advantageously may be employed. The system comprises auser device 101 arranged with a sensor 102 for deriving a firstbiometric template X_(T) from a configuration of a specific physicalfeature 103 (in this case an iris) of the individual, or even from acombination of physical features. The user device employs a helper datascheme (HDS) in the verification, and enrolment data S and helper data Ware derived from the first biometric template X_(T), resulting in afeature location set X. The user device must be secure, tamper-proof andhence trusted by the individual, such that privacy of the individual'sbiometric data is provided. The helper data W is typically calculated atthe user device 101 such that S=G(X_(F), W), where G is adelta-contracting function. Hence, W and S are calculated from a featurevector X_(F) using a function or algorithm F_(G) such that (W,S)=F_(G)(X_(F)). The first feature vector X_(F) is typically a vectorwith a predetermined number of entries.

An enrolment authority 104 initially enrolls the individual in thesystem by storing the enrolment data S and the helper data W receivedfrom the user device 101 in a central storage unit 105, which enrolmentdata subsequently is used by a verifier 106. The enrolment data S issecret to avoid identity-revealing attacks by analysis of S. At the timeof verification, a second biometric template Y_(T), which typically is anoise-contaminated copy of the first biometric template X_(T), isoffered by the individual 103 to the verifier 106 via a sensor 107. Fromthe second biometric template Y_(T), a second feature vector Y_(F) isderived, which typically comprises the same number of entries as thefeature vector X_(F). The verifier 106 generates secret verificationdata S′ based on the second feature vector Y_(F) and the helper data Wreceived from the central storage 105. The verifier 106 authenticates oridentifies the individual by means of the enrolment data S fetched fromthe central storage 105 and the verification data S′ created at a cryptoblock 108. Noise-robustness is provided by calculating verification dataS′ at the verifier as S′=G(Y_(F), W). The delta-contracting function hasthe characteristic that it allows the choice of an appropriate value ofthe helper data W such that S′=S, if the second biometric feature vectorY_(F) sufficiently resembles the first biometric feature vector X_(F).Hence, if a matching block 109 considers S′ to be equal to S,verification is successful.

In a practical situation, the enrolment authority may coincide with theverifier, but they may also be distributed. As an example, if thebiometric system is used for banking applications, all larger offices ofthe bank will be allowed to enroll new individuals into the system, suchthat a distributed enrolment authority is created. If, after enrolment,the individual wishes to withdraw money from such an office while usingher biometric data as authentication, this office will assume the roleof verifier. On the other hand, if the user makes a payment in aconvenience store using her biometric data as authentication, the storewill assume the role of the verifier, but it is highly unlikely that thestore ever will act as enrolment authority. In this sense, we will usethe enrolment authority and the verifier as non-limiting abstract roles.

As can be seen hereinabove, the individual has access to a device thatcontains a biometric sensor and has computing capabilities. In practice,the device could comprise a fingerprint sensor integrated in a smartcard or a camera for iris or facial recognition in a mobile phone or aPDA. It is assumed that the individual has obtained the device from atrusted authority (e.g. a bank, a national authority, a government) andthat she therefore trusts this device.

Now, when the present invention is applied in the system of FIG. 1, thefirst feature set X comprising n+1 components is derived from the firsttemplate X_(T) and is transformed into a feature density functionƒ_(X,s)(x), as previously described in (1), by performing a summation ofthe different components, and convolving the resulting sum with anaveraging function, whereby a new first feature vector X_(F)=ƒ_(X,s)(x)is created that advantageously can be used in an HDS. This willtypically be a sampled version of the density function, which results infeature vectors of equal and finite dimensions regardless of the numbern+1 of components present in the feature set X.

Thereafter, at the user device 101, the helper data W is typicallycalculated such that S=G(ƒ_(X,s)(x), W), where G is a delta-contractingfunction. Hence, W and S are calculated from the first feature vectorX_(F)=ƒ_(X,s)(x) using a function or algorithm F_(G) such that (W,S)=F_(G)(X_(F)). As mentioned hereinabove, W and S are stored at thecentral storage 105 via the enrolment authority 104. At the time ofverification, a second biometric template Y_(T) is offered by theindividual 103 to the verifier 106 via the sensor 107. The secondfeature location set Y derived from the second biometric templatecomprises m+1 components and is also transformed into a feature densityfunction ƒ_(Y,s)(x), as previously described in (1), whereby a newsecond feature vector Y_(F)=ƒ_(Y,s)(x) is created. The verifier 106generates secret verification data S′ based on the second feature vectorY_(F)=ƒ_(Y,s)(x) and the helper data W received from the central storage105. The verifier 106 authenticates or identifies the individual bymeans of the enrolment data S fetched from the central storage 105 andthe verification data S′ created at a crypto block 108. Noise-robustnessis provided by calculating verification data S′ at the verifier asS′=G(ƒ_(Y,s)(x), W).

As previously discussed, the delta-contracting property of G is usefulif the feature vectors X_(F) and Y_(F) are sufficiently similar as aresult of the biometric templates X_(T) and Y_(T) being sufficientlysimilar. This similarity between X_(F) and Y_(F) can be expressed as,for example, the Euclidian distance between Y_(F)=ƒ_(Y,s)(x) andX_(F)=ƒ_(X,s)(x) as given in (6) or (11). Thus, an inherent property ofthe delta-contracting function is that, if a matching block 109considers S′ to match S, i.e. if the Euclidian distance betweenY_(F)=ƒ_(Y,s)(x) and X_(F)=ƒ_(X,s)(x) is small enough, the verificationis successful.

The system for authentication/identification of the individual usingbiometric data associated with the individual as described above mayalternatively be designed such that the user device 101 performs theoperation of comparing S′ to S, in which case it may be necessary forthe verifier 106 or the enrolment authority 104 to provide the userdevice 101 with the centrally stored helper data W.

It is clear that the devices comprised in the system of the invention,i.e. the user device, the enrolment authority, the verifier and possiblyalso the central storage, is arranged with microprocessors or othersimilar electronic equipment having computing capabilities, for exampleprogrammable logic devices such as ASICs, FPGAs, CPLDs etc. Further, themicroprocessors executes appropriate software stored in memories, ondiscs or on other suitable media for accomplishing tasks of the presentinvention.

Further, it is obvious to a skilled person that the data and thecommunications in the system described above can be further protectedusing standard cryptographic techniques such as SHA-1, MD5, AES, DES orRSA. Before any data is exchanged between devices (during enrolment aswell as during verification) comprised in the system, a device mightwant some proof on the authenticity of another other device with whichcommunication is established. For example, it is possible that theenrolment authority must be ensured that a trusted device did generatethe enrolment data received. This can be achieved by using public keycertificates or, depending on the actual setting, symmetric keytechniques. Moreover, it is possible that the enrolment authority mustbe ensured that the user device can be trusted and that it has not beentampered with. Therefore, in many cases, the user device will containmechanisms that allow the enrolment authority to detect tampering. Forexample, Physical Uncloneable Functions (PUFs) may be implemented in thesystem. A PUF is a function that is realized by a physical system, suchthat the function is easy to evaluate but the physical system is hard tocharacterize. Depending on the actual setting, communications betweendevices might have to be secret and authentic. Standard cryptographictechniques that can be used are Secure Authenticated Channels (SACs)based on public key techniques or similar symmetric techniques.

Also note that the enrolment data and the verification data may becryptographically concealed by means of employing a one-way hashfunction, or any other appropriate cryptographic function that concealsthe enrolment data and verification in a manner such that it iscomputationally infeasible to create a plain text copy of theenrolment/verification data from the cryptographically concealed copy ofthe enrolment/verification data. It is, for example possible to use akeyed one-way hash function, a trapdoor hash function, an asymmetricencryption function or even a symmetric encryption function.

Even though the invention has been described with reference to specificexemplifying embodiments thereof, many different alterations,modifications and the like will become apparent for those skilled in theart. The described embodiments are therefore not intended to limit thescope of the invention, as defined by the appended claims.

1. A method of determining correspondence between location sets,comprising: transforming a first location set comprising a number ofcomponents into a density function by summing averaging functionsshifted to locations indicated by selected components in the firstlocation set; and determining a distance between the density functionand another density function that corresponds to a second location setcomprising a number of components, wherein correspondence exists betweenthe first and the second location set if said distance complies with apredetermined distance value.
 2. The method according to claim 1,wherein the summing of averaging functions shifted to locationsindicated by selected components in the first location set is effectedby performing a convolution of the averaging function with a sum ofDirac pulses at locations indicated by the selected components in thefirst location set.
 3. The method according to claim 1, wherein thedensity function is sampled to create a feature vector having a fixednumber of entries.
 4. The method according to claim 1, wherein saidlocation sets are feature location sets comprising feature components,which feature location sets are derived from biometric data associatedwith an individual.
 5. The method according to claim 4, wherein theidentity of the individual associated with the second feature locationset is verified if said distance complies with a predetermined distancevalue.
 6. The method according to claim 1, further comprising comparingthe determined distance with a predetermined threshold value, whereinthe first location set is considered to match the second location set ifthe value of said determined distance is less than said threshold value.7. The method according to claim 1, wherein the determined distancebetween the density functions is the Euclidian distance.
 8. The methodaccording to claim 1, wherein the determination of said distance isperformed in the spatial domain.
 9. The method according to claim 1,wherein the determination of said distance is performed in the frequencydomain.
 10. The method according to claim 9, further comprisingdetermining a Fourier transform of the first location set and the secondlocation set, wherein a specific location in the first and secondlocation sets is modeled as a Dirac pulse at said specific location. 11.The method according to claim 10, further comprising filtering, in thefrequency domain, the respective transformed first and second locationsets.
 12. The method according to claim 11, wherein the filteredrespective transformed first and second location sets are used asfeature vectors in biometric authentication systems.
 13. The methodaccording to claim 1, wherein the density functions are sampled tocreate feature vectors having a fixed number of entries to be used inbiometric authentication systems.
 14. A computer program, embodied in acomputer readable medium, for determining correspondence betweenlocation sets, comprising: transforming a first location set comprisinga number of components into a density function by summing averagingfunctions shifted to locations indicated by selected components in thefirst location set; and determining a distance between the densityfunction and another density function that corresponds to a secondlocation set comprising a number of components, wherein correspondenceexists between the first and the second location set if said distancecomplies with a predetermined distance value.
 15. A system fordetermining correspondence between location sets, the system comprising:means for transforming a first location set comprising a number ofcomponents into a density function by summing averaging functionsshifted to locations indicated by selected components in the firstlocation set; and means for determining a distance between the densityfunction and another density function that corresponds to a secondlocation set comprising a number of components, wherein correspondenceexists between the first and the second location set if said distancecomplies with a predetermined distance value.
 16. The system accordingto claim 15, wherein the summing of averaging functions shifted tolocations indicated by selected components in the first location set iseffected by the transforming means by performing a convolution of theaveraging function with a sum of Dirac pulses at locations indicated bythe selected components in the first location set.
 17. The systemaccording to claim 15, wherein the transforming means is arranged tosample the density function to create a feature vector having a fixednumber of entries.
 18. The system according to claim 15, wherein saidlocation sets are feature location sets comprising feature components,which feature location sets are derived from biometric data associatedwith an individual.
 19. The system according to claim 18, wherein theidentity of the individual associated with the second feature locationset is verified if said distance complies with a predetermined distancevalue.
 20. The system according to claim 15, wherein the means fordetermining a distance is arranged to compare the determined distancewith a predetermined threshold value, wherein the first location set isconsidered to match the second location set if the value of saiddetermined distance is less than said threshold value.
 21. The systemaccording to claim 15, wherein the determined distance between thedensity functions is the Euclidian distance.
 22. The system according toclaim 15, wherein the determination of said distance is performed in thespatial domain.
 23. The system according to claim 15, wherein thedetermination of said distance is performed in the frequency domain. 24.The system according to claim 23, wherein the transforming means and thedetermining means are further arranged to determine the Fouriertransform of the first location set and the second location set, whereina specific location in the first and second location sets is modeled asa Dirac pulse at said specific location.
 25. The system according toclaim 24, wherein the transforming means and the determining means arefurther arranged to filter, in the frequency domain, the respectivetransformed first and second location sets.
 26. The system according toclaim 25, wherein the respective transformed first and second locationsets are used as feature vectors in biometric authentication systems.27. The system according to claim 15, wherein the transforming means andthe determining means are arranged to sample the density functions tocreate feature vectors having a fixed number of entries to be used inbiometric authentication systems.